Description
Describe the bug
When a Kibana alert rule is created with `alerts_filter` in an alert action, if we use either `kql` or `timeframe`, the provider sets the other field in the API call, which creates an error.
When using only `timeframe` in `alerts_filter`, TF is able to create the alert rule (Create API), but in the UI it complains that "A custom query is required." I believe this is because the Create API call adds an empty query.
When using only `kql` in `alerts_filter`, TF just errors out. The apply fails with:

```
Failed with: {"statusCode":400,"error":"Bad Request","message":"[request body.actions.0.alerts_filter.timeframe.hours.start]: string is not a valid time in HH:mm format "}
```

because we did not add `timeframe` in it. (I assume we do not need to add it if we do not need it.)
To Reproduce
Steps to reproduce the behavior:
=========================
TF configuration - when using `timeframe`
=========================

```hcl
resource "elasticstack_kibana_alerting_rule" "test-alert-filters_timeframe" {
  consumer    = "stackAlerts"
  enabled     = true
  interval    = "1m"
  alert_delay = 10
  name        = "test-alert-filters_timeframe"
  params = jsonencode(
    {
      aggType                    = "count"
      excludeHitsFromPreviousRun = false
      groupBy                    = "all"
      searchConfiguration = {
        index = "*beat-*"
        query = {
          language = "kuery"
          query    = "service.name: abc"
        }
      }
      searchType = "searchSource"
      size       = 100
      sourceFields = [
        {
          label      = "container.id"
          searchPath = "container.id"
        },
        {
          label      = "host.hostname"
          searchPath = "host.hostname"
        },
        {
          label      = "host.id"
          searchPath = "host.id"
        },
        {
          label      = "host.name"
          searchPath = "host.name"
        },
      ]
      termSize = 5
      threshold = [
        1000,
      ]
      thresholdComparator = ">"
      timeField           = "@timestamp"
      timeWindowSize      = 5
      timeWindowUnit      = "m"
    }
  )
  rule_type_id = ".es-query"
  space_id     = "default"
  tags         = []
  actions {
    group = "query matched"
    id    = "connector_id"
    params = jsonencode(
      {
        subAction = "postMessage"
        subActionParams = {
          channelIds = [
            "channel_id",
          ]
          channels = []
          text     = "abc"
        }
      }
    )
    alerts_filter {
      timeframe {
        days = [
          7,
          1,
          2,
          3,
          4
        ]
        hours_end   = "23:30"
        hours_start = "00:00"
        timezone    = "Europe/Berlin"
      }
    }
    frequency {
      notify_when = "onActiveAlert"
      summary     = false
    }
  }
}
```
=========================
Expected behavior
========================
The expected behavior is that the configuration should only create the required action filter, `timeframe`, as the TF plan shows:

Terraform plan -

```
# elasticstack_kibana_alerting_rule.test-alert-filters_timeframe will be created
+ resource "elasticstack_kibana_alerting_rule" "test-alert-filters_timeframe" {
    + alert_delay           = 10
    + consumer              = "stackAlerts"
    + enabled               = true
    + id                    = (known after apply)
    + interval              = "1m"
    + last_execution_date   = (known after apply)
    + last_execution_status = (known after apply)
    + name                  = "test-alert-filters_timeframe"
    + params                = jsonencode(
        {
          + aggType                    = "count"
          + excludeHitsFromPreviousRun = false
          + groupBy                    = "all"
          + searchConfiguration        = {
              + index = "*beat-*"
              + query = {
                  + language = "kuery"
                  + query    = "service.name: abc"
                }
            }
          + searchType                 = "searchSource"
          + size                       = 100
          + sourceFields               = [
              + {
                  + label      = "container.id"
                  + searchPath = "container.id"
                },
              + {
                  + label      = "host.hostname"
                  + searchPath = "host.hostname"
                },
              + {
                  + label      = "host.id"
                  + searchPath = "host.id"
                },
              + {
                  + label      = "host.name"
                  + searchPath = "host.name"
                },
            ]
          + termSize                   = 5
          + threshold                  = [
              + 1000,
            ]
          + thresholdComparator        = ">"
          + timeField                  = "@timestamp"
          + timeWindowSize             = 5
          + timeWindowUnit             = "m"
        }
    )
    + rule_id               = (known after apply)
    + rule_type_id          = ".es-query"
    + scheduled_task_id     = (known after apply)
    + space_id              = "default"
    + tags                  = []

    + actions {
        + group  = "query matched"
        + id     = "connector_id"
        + params = jsonencode(
            {
              + subAction       = "postMessage"
              + subActionParams = {
                  + channelIds = [
                      + "channel_id",
                    ]
                  + channels   = []
                  + text       = "abc"
                }
            }
        )

        + alerts_filter {
            + timeframe {
                + days        = [
                    + 7,
                    + 1,
                    + 2,
                    + 3,
                    + 4,
                  ]
                + hours_end   = "23:30"
                + hours_start = "00:00"
                + timezone    = "Europe/Berlin"
              }
          }

        + frequency {
            + notify_when = "onActiveAlert"
            + summary     = false
          }
      }
  }
```
Debug output
But as we see here, the `kql` filter is added. The alert creation works, but the alert shows an error (attached screenshot):

```json
{
  "actions": [
    {
      "alerts_filter": {          <------ This is added
        "query": {
          "filters": [],
          "kql": ""
        },
        "timeframe": {
          "days": [
            7,
            1,
            2,
            3,
            4
          ],
          "hours": {
            "end": "23:30",
            "start": "00:00"
          },
          "timezone": "Europe/Berlin"
        }
      },
      "frequency": {
        "notify_when": "onActiveAlert",
        "summary": false
      },
      "group": "query matched",
      "id": "connector_id",
      "params": {
        "subAction": "postMessage",
        "subActionParams": {
          "channelIds": [
            "channel_id"
          ],
          "channels": [],
          "text": "abc"
        }
      }
    }
  ],
  "alert_delay": {
    "active": 10
  },
  "consumer": "stackAlerts",
  "enabled": true,
  "name": "test-alert-filters_timeframe",
  "params": {
    "aggType": "count",
    "excludeHitsFromPreviousRun": false,
    "groupBy": "all",
    "searchConfiguration": {
      "index": "*beat-*",
      "query": {
        "language": "kuery",
        "query": "service.name: abc"
      }
    },
    "searchType": "searchSource",
    "size": 100,
    "sourceFields": [
      {
        "label": "container.id",
        "searchPath": "container.id"
      },
      {
        "label": "host.hostname",
        "searchPath": "host.hostname"
      },
      {
        "label": "host.id",
        "searchPath": "host.id"
      },
      {
        "label": "host.name",
        "searchPath": "host.name"
      }
    ],
    "termSize": 5,
    "threshold": [
      1000
    ],
    "thresholdComparator": "\u003e",
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "rule_type_id": ".es-query",
  "schedule": {
    "interval": "1m"
  },
  "throttle": null
}
```
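The empty `"query": {"filters": [], "kql": ""}` above is what the Kibana UI rejects, and the HH:mm error is what Kibana returns when `timeframe` is sent without valid hours. As an added example (not the provider's code; the type and function names are assumptions), this is how a request builder can leave an unconfigured `alerts_filter` block out of the JSON entirely, using pointer fields with `omitempty`, and check the hours format client-side before the API call:

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical request types for the Kibana alerting API "alerts_filter" object
// (added example, not the provider's code). Pointer fields with omitempty are
// left out of the JSON when nil, so an unconfigured block is never sent as {}.
type FilterQuery struct {
	KQL     string        `json:"kql"`
	Filters []interface{} `json:"filters"`
}
type Hours struct {
	Start string `json:"start"`
	End   string `json:"end"`
}
type Timeframe struct {
	Days     []int  `json:"days"`
	Hours    Hours  `json:"hours"`
	Timezone string `json:"timezone"`
}
type AlertsFilter struct {
	Query     *FilterQuery `json:"query,omitempty"`
	Timeframe *Timeframe   `json:"timeframe,omitempty"`
}

// hhmm mirrors the server-side check behind the reported error
// "string is not a valid time in HH:mm format".
var hhmm = regexp.MustCompile(`^([01][0-9]|2[0-3]):[0-5][0-9]$`)

// BuildAlertsFilter maps the Terraform block to the request body: an empty kql
// means no query block was configured, a nil tf means no timeframe block.
func BuildAlertsFilter(kql string, tf *Timeframe) (*AlertsFilter, error) {
	out := &AlertsFilter{}
	if kql != "" {
		out.Query = &FilterQuery{KQL: kql, Filters: []interface{}{}}
	}
	if tf != nil {
		// Reject malformed hours client-side rather than letting Kibana answer 400.
		if !hhmm.MatchString(tf.Hours.Start) || !hhmm.MatchString(tf.Hours.End) {
			return nil, fmt.Errorf("timeframe hours must be HH:mm, got %q-%q", tf.Hours.Start, tf.Hours.End)
		}
		out.Timeframe = tf
	}
	if out.Query == nil && out.Timeframe == nil {
		return nil, fmt.Errorf("alerts_filter needs at least one of query or timeframe")
	}
	return out, nil
}
```

Marshalling the result with `encoding/json` yields only the configured block, so the timeframe-only case no longer carries an empty `query` and the kql-only case no longer carries a `timeframe`.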
Screenshots
Versions (please complete the following information):
- Terraform Version: v1.6.6
- Provider version: 0.11.7 and above. This is causing TF to go into a panic when this particular feature is used, as we have several alert rules that need to use the feature.
- Elasticsearch Version: 8.13.2
Screenshot from UI after creating alert from UI